AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An organization stores sensitive logs in the prod-private-logs S3 bucket in its production AWS account. To run periodic queries, an analytics account currently accesses the bucket through a bucket policy that grants s3:GetObject to an IAM role in that account. Security policy now mandates that every cross-account access path uses an external ID. What is the most secure way to comply without breaking the analytics workflow?
Add a Condition element with sts:ExternalId to the existing S3 bucket policy so that the analytics role must present the correct external ID when calling GetObject.
Attach a service control policy (SCP) to the analytics account that denies s3:GetObject unless the request includes the required external ID header.
Create an IAM role in the production account that trusts the analytics account, includes a Condition requiring a specific sts:ExternalId value, and attaches a policy allowing s3:GetObject on the bucket; then remove the direct bucket policy statement. Have the analytics workflow assume this role before accessing S3.
Enable S3 Object Lock in compliance mode for the bucket and require callers to specify the external ID through object version IDs when fetching objects.
An external ID can only be evaluated by AWS STS when an external principal tries to assume a role. S3 bucket policies do not recognize the sts:ExternalId condition key, so the requirement cannot be enforced there. The secure pattern is to replace direct bucket access with a production-side IAM role whose trust policy allows the analytics account to call sts:AssumeRole only when the expected external ID is supplied. The role then carries a permissions policy that grants the minimum s3:GetObject access to the bucket. The analytics workflow assumes the role and uses the temporary credentials to read the objects, satisfying both the security mandate and the functional need. Adding sts:ExternalId to the bucket policy, creating an SCP, or enabling Object Lock would not enforce the requirement or would block legitimate access.
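To make the pattern concrete, here is an added example (not part of the original question) showing the production-side trust policy and permissions policy described above, plus a small audit check that flags cross-account AssumeRole statements lacking an sts:ExternalId condition. The account IDs, the external ID value and the function names are placeholders chosen for the example; only the bucket name comes from the question.

```python
# Constructed trust policy for the production-side role: the analytics account
# (placeholder ID 222222222222) may call sts:AssumeRole only when it presents
# the expected external ID. This is the only place sts:ExternalId is evaluated.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}

# Least-privilege permissions policy attached to the same role (bucket from the question).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::prod-private-logs/*",
    }],
}


def _as_list(value):
    """IAM allows a single value or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def missing_external_id(trust_policy, own_account):
    """Return the foreign principals allowed to assume the role without an
    sts:ExternalId condition (empty list means the trust policy is compliant)."""
    offenders = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        has_ext_id = any("sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike"))
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws_principals):
            # "*" trusts everyone; an ARN whose account ID (field 4) differs is cross-account.
            foreign = p == "*" or (p.startswith("arn:aws:iam::") and p.split(":")[4] != own_account)
            if foreign and not has_ext_id:
                offenders.append(p)
    return offenders
```

Run `missing_external_id` over each role's trust policy returned by IAM to find cross-account trusts that still do not require an external ID.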
Security and Compliance